Description
Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.
Published: 2026-04-21
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

A command injection vulnerability has been identified in the release_update.yml workflow of Lawnchair. The flaw arises because user‑supplied input is not properly quoted, allowing shell metacharacters to be interpreted by the GitHub Actions runner. This is a CWE‑77 condition that enables attackers who can trigger the workflow dispatch to run arbitrary shell commands, effectively achieving remote code execution in the runner environment.
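To make the pattern concrete, the constructed workflow below (an added example, not the Lawnchair release_update.yml, which this page does not reproduce) places the unquoted-input form described above next to the hardened form that passes the dispatch input through an environment variable; the input name "version" and the step contents are assumptions.

```yaml
# Constructed example, not the Lawnchair release_update.yml: the input name
# "version" and the step contents are assumptions for illustration only.
name: release_update
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version to publish"
        required: true
        type: string

jobs:
  # WEAK PATTERN (CWE-77): the ${{ }} expression is expanded by the runner
  # before the shell starts, so the raw input is pasted into the script
  # text. Shell metacharacters in it become syntax, not data, and quoting
  # the expansion does not help because a quote in the input closes it.
  weak:
    runs-on: ubuntu-latest
    steps:
      - name: Publish (unsafe interpolation)
        run: |
          echo "Publishing ${{ inputs.version }}"
          git tag "${{ inputs.version }}"

  # HARDENED PATTERN: bind the input to an environment variable and read it
  # with ordinary shell syntax. The value reaches the shell as data, so it
  # can never be parsed as a command. An allowlist check on its shape adds
  # defence in depth, and job permissions are kept to what tagging needs.
  hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Validate and publish
        env:
          RELEASE_VERSION: ${{ inputs.version }}
        run: |
          if ! printf '%s\n' "$RELEASE_VERSION" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "::error::Rejected version input (not semver): $RELEASE_VERSION"
            exit 1
          fi
          echo "Publishing $RELEASE_VERSION"
          git tag "$RELEASE_VERSION"
```

The same env-variable indirection applies to any other untrusted context value (issue titles, PR branch names, commit messages) that a `run:` step consumes.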

Affected Systems

The affected software is Lawnchair, an open‑source Android home app maintained by LawnchairLauncher. All releases that include the vulnerable workflow file before the commit fcba413f55dd47f8a3921445252849126c6266b2 are susceptible. Applying the referenced commit or any later release that incorporates it removes the flaw.

Risk and Exploitability

The CVSS score of 7.4 classifies this defect as high severity, while the EPSS score of less than 1% suggests exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker can invoke the release_update.yml workflow with sufficient permissions; the likely attack vector is an authorized user or compromised credentials capable of dispatching the workflow, after which arbitrary code would execute on the runner host.

Generated by OpenCVE AI on April 22, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch commit fcba413f55dd47f8a3921445252849126c6266b2 to update the release_update.yml workflow.
  • Restrict workflow dispatch permissions so that only trusted users or teams can trigger release_update.yml.
  • Configure branch protection on the release_update.yml file to prevent unauthorized edits.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 01:45:00 +0000

Type | Values Removed | Values Added
Description | | Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.
Title | | Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml
Weaknesses | | CWE-77
References | |
Metrics | | cvssV4_0 {'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:49:12.997Z

Reserved: 2026-04-07T19:13:20.379Z

Link: CVE-2026-39866

Vulnrichment

Updated: 2026-04-21T15:56:14.076Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T02:16:06.807

Modified: 2026-04-21T20:16:58.627

Link: CVE-2026-39866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T03:30:06Z

Weaknesses